From 3bed887949e87cc010b69bb247e30132e92057d2 Mon Sep 17 00:00:00 2001 From: Robin Watts Date: Fri, 4 Jan 2013 15:24:15 +0000 Subject: Attempt to fix SEGVs seen in fax decoder. Talking to zeniko, he reports that SEGVs still occur in find_changing within the fax decoder; he doesn't have an example that shows the problem though (either one he can share, or one he cannot). Presumably he has some sort of online feedback thing in the event of crashes. Having stared at the code for a while, I see a potential problem. I think the code may read too many bytes in the case where we are entered with x already within the last byte of w. (i.e. where x >= ((w-1)>>3)<<3). Fixed here. --- fitz/filt_faxd.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'fitz/filt_faxd.c') diff --git a/fitz/filt_faxd.c b/fitz/filt_faxd.c index d5d636f6..463d9de1 100644 --- a/fitz/filt_faxd.c +++ b/fitz/filt_faxd.c @@ -218,11 +218,23 @@ find_changing(const unsigned char *line, int x, int w) * we started from) */ m = mask[x & 7]; } + /* We have 'w' pixels (bits) in line. The last pixel that can be + * safely accessed is the (w-1)th bit of line. + * By taking W = w>>3, we know that the first W bytes of line are + * full, with w&7 stray bits following. */ W = w>>3; x >>= 3; - a = line[x]; + a = line[x]; /* Safe as x < w => x <= w-1 => x>>3 <= (w-1)>>3 */ b = a ^ (a>>1); b &= m; + if (x >= W) + { + /* Within the last byte already */ + x = (x<<3) + clz[b]; + if (x > w) + x = w; + return x; + } while (b == 0) { if (++x >= W) -- cgit v1.2.3
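Review bot: the safety argument in the new comment on `a = line[x]; /* Safe as x < w => ... */` rests on a precondition (x < w on entry) that nothing in the visible hunk enforces; if a caller can enter with x == w while w is a multiple of 8, then x>>3 == W and line[W] is read one byte past the last full byte, which is exactly the class of over-read this commit is trying to close. Suggest an explicit guard before the read, e.g. `if (x >= w) return w;`, or a comment at the function head stating the caller's obligation. Minor: the commit message describes the case as `x >= ((w-1)>>3)<<3`, while the added test is `x >= W` with `W = w>>3`; these differ when w&7 == 0, so align the message (or the added comment) with the code. The clamp `if (x > w) x = w;` in the early-return branch is needed because the padding bits beyond w in the last byte are not masked out of `b`, so clz[b] may land past w; worth stating that in the comment so the clamp is not removed as redundant later.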